CVE-2026-45457 Overview
CVE-2026-45457 is a local code execution vulnerability in Microsoft Office Word. The flaw stems from an untrusted pointer dereference condition mapped to CWE-125 (Out-of-Bounds Read). An unauthorized attacker can execute arbitrary code on the target system when a user opens a crafted document. Exploitation requires user interaction but no prior authentication. Successful exploitation grants the attacker the same privileges as the logged-on user, with high impact across confidentiality, integrity, and availability.
Critical Impact
Opening a malicious Word document triggers code execution in the user context, enabling malware delivery, data theft, and lateral movement from a single phishing payload.
Affected Products
- Microsoft Office Word (refer to the Microsoft CVE-2026-45457 Advisory for the authoritative list of affected builds)
- Microsoft 365 Apps deployments that include Word
- Standalone Office installations bundling the affected Word component
Discovery Timeline
- 2026-06-09 - CVE-2026-45457 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-45457
Vulnerability Analysis
The vulnerability is an untrusted pointer dereference inside Microsoft Office Word. Word parses richly structured binary and XML document content, and the affected code path uses attacker-controllable data to construct or follow a pointer without sufficient validation. When Word reads beyond an expected memory boundary, the resulting dereference operates on data the attacker can influence. The CWE-125 classification indicates the root operation is an out-of-bounds read that exposes or interprets adjacent memory as a pointer.
The attacker leverages this primitive to redirect execution flow. Combined with predictable memory layout or co-resident attacker data, the dereference becomes a code execution path. Code runs in the security context of the user opening the document, inheriting all of that user's rights on the host.
Root Cause
The root cause is missing or incorrect bounds and type validation when Word processes specific structures within a document file. The parser treats untrusted bytes as a valid pointer or pointer-derived value, then dereferences it without confirming the referenced memory is within an expected, properly typed region.
Attack Vector
The attack vector is local with required user interaction. An attacker delivers a weaponized document by email, web download, file share, or removable media. When the victim opens the file in Word, parsing reaches the vulnerable routine and triggers the dereference. Preview pane handling and Protected View status influence reachability, so attackers commonly pair the payload with social engineering that convinces users to enable editing.
No verified public exploit code is available for CVE-2026-45457. Refer to the Microsoft CVE-2026-45457 Advisory for vendor-provided technical details.
Detection Methods for CVE-2026-45457
Indicators of Compromise
- Microsoft Word (WINWORD.EXE) spawning unexpected child processes such as cmd.exe, powershell.exe, wscript.exe, or rundll32.exe.
- Word writing executable content (.exe, .dll, .js, .hta) to user-writable paths such as %TEMP%, %APPDATA%, or %PUBLIC%.
- Outbound network connections initiated directly by WINWORD.EXE to uncategorized or newly registered domains shortly after document open.
- Crash or Watson telemetry from WINWORD.EXE referencing access violations during document parsing.
Detection Strategies
- Hunt for Office process anomalies using parent-child process relationships, focusing on WINWORD.EXE as parent of shells, script hosts, or living-off-the-land binaries.
- Correlate document open events with subsequent file writes and network egress within a short time window.
- Inspect inbound email attachments and downloads for Word documents containing unusual embedded objects, OLE streams, or malformed structures.
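A hunt over the indicators and strategies above, written as an added example that is not part of the original page. The events are constructed Sysmon-style records (event IDs 1, 3 and 11); the five-minute correlation window and the Office install path are assumptions.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Behaviours taken from the indicator list above
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "rundll32.exe"}
EXEC_EXTENSIONS = {".exe", ".dll", ".js", ".hta"}
# Lower-cased fragments of %TEMP%, %APPDATA% and %PUBLIC%
DROP_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
WINDOW = timedelta(minutes=5)  # correlation window after a document open (assumed value)

WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"  # assumed path
# Constructed sample events, not real telemetry: (timestamp, Sysmon event id, fields)
SAMPLE_EVENTS = [
    ("2026-06-10T09:00:00", 1, {"Image": WORD, "ParentImage": r"C:\Windows\explorer.exe",
                                "CommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.docx"'}),
    ("2026-06-10T09:00:03", 11, {"Image": WORD, "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\~WRD0001.tmp"}),
    ("2026-06-10T09:00:07", 11, {"Image": WORD, "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\upd.dll"}),
    ("2026-06-10T09:00:09", 1, {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": WORD, "CommandLine": "rundll32.exe"}),
    ("2026-06-10T09:00:12", 3, {"Image": WORD, "DestinationHostname": "cdn-update.example"}),
    ("2026-06-10T11:30:00", 1, {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"}),
]

def _basename(path):
    return PureWindowsPath(path).name.lower()

def hunt(events, window=WINDOW):
    """Return (timestamp, reason) alerts. Word spawning a shell or script host is
    always reported; executable drops and network egress by WINWORD.EXE are
    reported only within `window` of a Word document open (strategy 2 above)."""
    alerts, last_open = [], None
    for ts, event_id, f in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        image = _basename(f.get("Image", ""))
        if event_id == 1 and image == "winword.exe":
            if any(ext in f.get("CommandLine", "").lower() for ext in (".doc", ".rtf")):
                last_open = t  # a document open starts the correlation window
            continue
        recent = last_open is not None and t - last_open <= window
        if event_id == 1 and image in SUSPICIOUS_CHILDREN and _basename(f.get("ParentImage", "")) == "winword.exe":
            alerts.append((ts, f"WINWORD.EXE spawned {image}"))
        elif event_id == 11 and image == "winword.exe" and recent:
            target = f["TargetFilename"].lower()
            if PureWindowsPath(target).suffix in EXEC_EXTENSIONS and any(d in target for d in DROP_DIRS):
                alerts.append((ts, f"Word wrote executable content after document open: {target}"))
        elif event_id == 3 and image == "winword.exe" and recent:
            alerts.append((ts, f"WINWORD.EXE egress to {f['DestinationHostname']} after document open"))
    return alerts

if __name__ == "__main__":
    for ts, reason in hunt(SAMPLE_EVENTS):
        print(ts, reason)
```

The benign `~WRD0001.tmp` write is deliberately left unflagged: Word writes temporary files constantly, so only executable extensions in user-writable drop directories count.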
Monitoring Recommendations
- Enable and forward Microsoft Defender Attack Surface Reduction (ASR) audit and block events for the rule that blocks Office applications from creating child processes.
- Centralize Sysmon process creation, image load, and file create events from endpoints running Word into the SIEM for retrospective hunting.
- Track patch state of Microsoft Office and Microsoft 365 Apps across the fleet and alert on hosts that fall behind the current security baseline.
How to Mitigate CVE-2026-45457
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft CVE-2026-45457 Advisory to every host running Word.
- Confirm Microsoft 365 Apps update channels are current and that delayed channels receive the fix on schedule.
- Prioritize patching for users handling external documents, including finance, HR, legal, and executive assistants.
Patch Information
Microsoft has published guidance and updates through the Microsoft Security Response Center. Administrators should consult the Microsoft CVE-2026-45457 Advisory for the specific KB numbers, build versions, and deployment instructions that apply to each affected channel and SKU.
Workarounds
- Enforce Protected View and Application Guard for documents originating from the internet, email, and untrusted file shares.
- Enable the Microsoft Defender ASR rule that blocks all Office applications from creating child processes.
- Disable preview handlers for Word documents in Outlook and Windows Explorer until patches are deployed.
- Block inbound .doc, .docx, .docm, and .rtf attachments from external senders at the mail gateway when business-justified.
# Enable the ASR rule that blocks Office apps from creating child processes (run from an elevated PowerShell session)
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A `
    -AttackSurfaceReductionRules_Actions Enabled
# Force Protected View for files from the internet, unsafe locations and Outlook attachments via the registry.
# A value of 0 keeps Protected View enabled for that source; these HKCU values apply to the current user only,
# so deploy them fleet-wide through Group Policy or your endpoint management tool.
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView" /v DisableInternetFilesInPV /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView" /v DisableUnsafeLocationsInPV /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView" /v DisableAttachmentsInPV /t REG_DWORD /d 0 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.